Azure Active Directory Group Licensing Assignment Now Available

Microsoft now permits Azure Active Directory licensing to be assigned based on groups within an organization.

It may seem surprising, but the ability to assign licenses to groups of users is only just now at the "general availability" stage, according to a Microsoft Friday announcement. The general availability nomenclature signifies that Microsoft deems Azure AD group licensing assignment as being ready for production use by organizations.

Group assignment is perhaps a less tedious approach for organizations with lots of Azure AD end users to manage. Previously, IT pros could only assign Azure AD licenses individually, and if they wanted to then associate those licenses with certain groups within the organization, then they'd have to use PowerShell scripts, according to Microsoft's general document on Azure AD group-based licensing.

Microsoft's group-based licensing for Azure AD automates this process without using PowerShell scripts, per the document:

Any new members who join the group are assigned the appropriate licenses. When they leave the group, those licenses are removed. This eliminates the need for automating license management via PowerShell to reflect changes in the organization and departmental structure on a per-user basis.

Microsoft's document suggested that organizations won't get double-licensed with the Azure AD group licensing approach.

"If a user is assigned same license from multiple sources, the license will be consumed only once," the document explained.

Right now, one requirement for using this feature is that the groups must be assigned using the Azure Portal. Here's how Microsoft described it:

Group-based licensing is currently available only through the Azure portal. If you primarily use other management portals for user and group management, such as the Office 365 portal, you can continue to do so. But you should use the Azure portal to manage licenses at group level.

It's possible to disable particular services when assigning a license to a group, which might be done if an organization isn't ready to use that service. Microsoft's example is disabling Yammer. It gets done using a toggle button.

The new group licensing assignment capability is available for organizations that have a paid or trial subscription to Azure AD Basic, Office 365 Enterprise E3, Office 365 A3 or higher subscription plans, and it'll work with other Microsoft services that have "user-level licensing." It can also be used when organizations have their local Active Directory synchronized with Azure AD via Microsoft's Azure AD Connect service.

Microsoft updated an August security advisory this week to urge organizations using the Lightweight Directory Access Protocol in supported Windows systems to implement some configuration changes manually.